takescoop / eslint-config-scoop Goto Github PK
View Code? Open in Web Editor NEWScoop's ESLint configuration, primarily for Node.js
License: MIT License
eslint-config-scoop's People
Contributors
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
Stargazers
Watchers
eslint-config-scoop's Issues
eslint-plugin-require-path-exists should maybe be peer dependency?
With npm 2 (shipped w/ node 4) this project won't work because it doesn't flatten the dependency (and more precisely, because eslint is looking for a peer dependency which is outlined here: eslint/eslint#3458)
Multiline function invocation should place last parenthesis on a new line
From @andrewtamura
// wrong:
doSomething(
doSomethingA,
doSomethingB)
// correct:
doSomething(
doSomethingA,
doSomethingB
)Andrew suggested we can fix via the correct config of function-paren-newline.
I am a bit worried that could cause regressions from our standard styles so we should include a more complete example file to test for that.
enforce spacing around commas
WS-2021-0638 (High) detected in mocha-9.1.3.tgz
WS-2021-0638 - High Severity Vulnerability
Vulnerable Library - mocha-9.1.3.tgz
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-9.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/package.json
Dependency Hierarchy:
- ❌ mocha-9.1.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.
Publish Date: 2021-09-18
URL: WS-2021-0638
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-09-18
Fix Resolution: mocha - 10.1.0
Step up your Open Source Security Game with Mend here
consider enabling global-require rule
http://eslint.org/docs/rules/global-require
This generally matches our style. There are a few exceptions we tend to make (often around using knex).
CVE-2022-46175 (High) detected in json5-1.0.1.tgz
CVE-2022-46175 - High Severity Vulnerability
Vulnerable Library - json5-1.0.1.tgz
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
- eslint-import-resolver-typescript-2.5.0.tgz (Root Library)
- tsconfig-paths-3.12.0.tgz
- ❌ json5-1.0.1.tgz (Vulnerable Library)
- tsconfig-paths-3.12.0.tgz
Found in base branch: master
Vulnerability Details
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 version 2.2.2 and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution: json5 - 2.2.2
Step up your Open Source Security Game with Mend here
disallow same line if
http://eslint.org/docs/rules/curly
We are practicing this by convention at this point, though there are some leftover spots. We want to discourage:
if (condition) x = 5and encourage (at least with regard to curly brace style):
if (condition) {
x = 5
}const x = { 'something': {} } fails linting
const x = { 'something': {} }When the value is an empty object the config is currently expecting this, which seems off.
{ 'something': {}}The error is:
error There should be no space before '}' object-curly-spacing
reported by @eladidan
upgrade to eslint 3.x.x
migration guide: http://eslint.org/docs/user-guide/migrating-to-3.0.0
I've reviewed the new recommended rules & don't think we need to change anything. no-unsafe-finally is a nice addition.
This should be a semver major release for this repo since peers will need to be bumped in all the dependent projects.
enforce commonJS import style
Our commonJS import style is not enforceable by the built-in eslint rules. We can write our own ESLint plugin to enforce our commonJS import style.
Here is the current style that we would like to enforce:
- imports should be organized into three groupings: First: node core modules, second: any module that would get installed in node_modules, finally: project modules (local imports). Related discussion: https://github.com/TakeScoop/handbook/issues/82
- Within each grouping, the assigned variables should be sorted by lexicographical order (e.g
barbeforefoo) - the first grouping should have padding if the directive above is
use strict
for valid-typeof rule, enable requireStringLiterals
we only do comparisons like this:
if (typeof x === 'string') {
console.log('yep')
} We want to avoid things like this:
if (typeof x === undefined) {
console.log('this never evals true')
}It looks like the requireStringLiterals option was added to eslint in August to error on the latter case since in JS undefined can be reassigned eslint/eslint#6698
add error for no-return-assign
Aren't really any valid use cases for us doing something like below, so enable this rule.
function doSomething() {
return foo = bar + 2;
}enable no-var to require using let and const
https://eslint.org/docs/rules/no-var
This is not part of eslint:recommended.
CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: eslint-config-scoop/package.json
Path to vulnerable library: eslint-config-scoop/node_modules/mocha/node_modules/minimist/package.json
Dependency Hierarchy:
- mocha-5.2.0.tgz (Root Library)
- mkdirp-0.5.1.tgz
- ❌ minimist-0.0.8.tgz (Vulnerable Library)
- mkdirp-0.5.1.tgz
Found in HEAD commit: cde4bf2d18512e8b8ead138d85ff396e125d1e7b
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
Step up your Open Source Security Game with WhiteSource here
WS-2019-0425 (Medium) detected in mocha-5.2.0.tgz
WS-2019-0425 - Medium Severity Vulnerability
Vulnerable Library - mocha-5.2.0.tgz
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-5.2.0.tgz
Path to dependency file: eslint-config-scoop/package.json
Path to vulnerable library: eslint-config-scoop/node_modules/mocha/package.json
Dependency Hierarchy:
- ❌ mocha-5.2.0.tgz (Vulnerable Library)
Found in HEAD commit: cde4bf2d18512e8b8ead138d85ff396e125d1e7b
Found in base branch: master
Vulnerability Details
Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.
Publish Date: 2019-01-24
URL: WS-2019-0425
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: v6.0.0
Release Date: 2020-05-07
Fix Resolution: https://github.com/mochajs/mocha/commit/1a43d8b11a64e4e85fe2a61aed91c259bbbac559
Step up your Open Source Security Game with WhiteSource here
try MemberExpression in indent rule
Example of what our settings would be:
"indent": [
2,
4,
{
"SwitchCase": 1,
"MemberExpression": 0
}
]blocked by #3
Disallow newlines before closing a block
Disallow newlines before the closing of a block. Eg:
Disallowed:
function foo() {
console.log('meaningful work')
}
if (bar) {
baz()
}enforce spacing for `async` keyword
Desired
// One space after the `async` keyword
async () => stuff
async function() { ... }Not Desired
// No spaces after the `async` keyword
async() => stuff
// More than one space after `async` keyword
async () { ... }CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
- eslint-8.4.1.tgz (Root Library)
- ❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
Step up your Open Source Security Game with Mend here
CVE-2021-23566 (Medium) detected in nanoid-3.1.25.tgz
CVE-2021-23566 - Medium Severity Vulnerability
Vulnerable Library - nanoid-3.1.25.tgz
A tiny (108 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.25.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nanoid/package.json
Dependency Hierarchy:
- mocha-9.1.3.tgz (Root Library)
- ❌ nanoid-3.1.25.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2022-01-14
Fix Resolution (nanoid): 3.1.31
Direct dependency fix Resolution (mocha): 9.1.4
Step up your Open Source Security Game with Mend here
Version of eslint doesn't allow specifying ecmaVersion 10
The version of eslint that we're on does not yet support ecmaVersion 10 so apps on node 10 must specify ecmaVersion: 8.
Array spacing not enforced
See the following failing test: https://circleci.com/gh/TakeScoop/eslint-config-scoop/69
We should enforce the following style:
['one', 'two']over this style:
[ 'one', 'two' ]Enable lines-between-class-members
This will enforce new lines between class methods and so on. Seems pretty consistent with our style but have occasionally seen inconsistency by devs.
Enforce spacing after !
Right now, the linter doesn't enforce (! ) vs. (!). Our style prefers the latter.
Dependency Dashboard
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Edited/Blocked
These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.
Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- chore(deps): update dependency @types/node to v20
- chore(deps): update dependency mocha to v10 (
mocha,@types/mocha) - chore(deps): update dependency typescript to v5
- chore(deps): update node orb to v5
- fix(deps): update dependency eslint-import-resolver-typescript to v3
- fix(deps): update typescript-eslint monorepo to v6 (major) (
@typescript-eslint/eslint-plugin,@typescript-eslint/parser) - Click on this checkbox to rebase all open PRs at once
Detected dependencies
circleci
.circleci/config.yml
artifactory 1node 4.7.0
npm
package.json
@typescript-eslint/eslint-plugin ^5.5.0@typescript-eslint/parser ^5.5.0eslint-import-resolver-typescript ^2.5.0eslint-plugin-implicit-dependencies ^1.0.4eslint-plugin-import ^2.25.3@hapi/code ^8.0.5@types/mocha ^9.0.0@types/node ^16.11.11eslint ^8.0.0mocha ^9.0.0typescript ^4.5.2eslint ^8.0.0node >=12
- Check this box to trigger a request for Renovate to run again on this repository
Disallow use of the comma operator
I've never seen anybody deliberately use the comma operator, but I've run into a couple cases of people accidentally using it where they meant to use a comma for something normal and being surprised that it wasn't a syntax error.
ESLint has the no-sequences rule that disallows the comma operator outside for-loops and expressions wrapped inside parentheses, but I think we should actually just bar it altogether:
{
"rules": {
"no-restricted-syntax": ["error", "SequenceExpression"]
}
}
Enforce newline before returns
Add [{ blankLine: "always", prev: "*", next: "return" }] to the padding-line-between-statements config to enforce newlines before returns when the return statement is not the only line of code in the block. Examples of enforcement can be found here, the first example specifically:
https://eslint.org/docs/rules/padding-line-between-statements#examples
Allow use of Promise global
With increasing interesting in async/await and diminishing interest in Bluebird, it seems appropriate to allow applications to use Promise like any other global. We could still allow users to do const Promise = require('bluebird') (seems confusing) or make a breaking change preventing global overrides and promoting const Bluebird = require('bluebird'). I think in a world where Bluebird is on its way out as a standard feature of Node apps it's worth switching old apps to Bluebird as an identifier when they upgrade the linter.
See https://github.com/TakeScoop/kube-run/pull/1/files#r258305516
Should disallow multiline arrow function bodies without braces
There was some code like this:
.then(function(x) {
return Promise.map([6, 3], daysSince =>
doSomething({
x: 'x',
daysAgo: daysSince
})
)
})The lone ) looks really out of place compared to rest of our code and readability here is harmed. This actually is an implicit return but looks like someone forgot to return or forgot to close a bracket.
Testing: we should check the actual failure reason for failure fixtures
It's risky to not check this as another rule could cause linting of these failure cases to "fail" (i.e. pass testing) and we wouldn't notice the change.
CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz
CVE-2021-35065 - High Severity Vulnerability
Vulnerable Library - glob-parent-5.1.2.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
- mocha-9.1.3.tgz (Root Library)
- chokidar-3.5.2.tgz
- ❌ glob-parent-5.1.2.tgz (Vulnerable Library)
- chokidar-3.5.2.tgz
Found in base branch: master
Vulnerability Details
The package glob-parent from 6.0.0 and before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
Step up your Open Source Security Game with Mend here
enforce line break style in multi-element arrays
https://eslint.org/docs/rules/array-element-newline
The consistent option to array-element-newline rule will enforce the style that we want.
/*eslint array-element-newline: ["error", "consistent"]*/
var a = [];
var b = [1];
var c = [1, 2];
var d = [1, 2, 3];
var e = [
1,
2
];
var f = [
1,
2,
3
];
var g = [
function foo() {
dosomething();
}, function bar() {
dosomething();
}, function baz() {
dosomething();
}
];
var h = [
function foo() {
dosomething();
},
function bar() {
dosomething();
},
function baz() {
dosomething();
}
];Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.